CVE-2018-19520
CVE-2018-19520 targets SDCMS 1.6 on PHP 5.x. The admin path app/admin/controller/themecontroller.php uses a check_bad function intended to block certain PHP functions (e.g., eval) but does not block preg_replace with the /e/ modifier, enabling an attacker with admin template access to execute arb...